CVE-2026-5429 - Kiro IDE Webview Cross-Site Scripting via Workspace Color Theme
Bulletin ID: 2026-012-AWS
Scope: AWS
Content Type: Important (requires attention)
Publication Date: 04/2/2026 11:30 AM PST
Description:
Kiro IDE is an agentic development environment that makes it easy for developers to ship real engineering work with the help of AI agents.
We identified CVE-2026-5429: the Kiro Agent webview in Kiro IDE versions before 0.8.140 does not sanitize input during web page generation, which allows a remote unauthenticated threat actor to execute arbitrary code via a maliciously crafted color theme name when a local user opens the workspace. Exploitation requires the user to trust the workspace when prompted.
Impacted versions: < 0.8.140
Resolution:
This issue has been addressed in Kiro IDE version 0.8.140. We recommend upgrading to the latest version and ensuring any forked or derivative code is patched to incorporate the new fixes.
Acknowledgement:
We would like to thank Dhiraj Mishra for collaborating on these issues through the coordinated disclosure process.
Reference:
Please email aws-security@amazon.com with any security questions or concerns.